(1) REAL PARTY IN INTEREST

The real party in interest in the above-referenced patent 
application is Hewlett-Packard Development Company, LP, a 
limited partnership established under the laws of the State of 
Texas and having a principal place of business at 20555 S.H. 249 
Houston, TX 77070, U.S.A. (hereinafter "HPDC"). HPDC is a 
Texas limited partnership and is a wholly-owned affiliate of 
Hewlett-Packard Company, a Delaware Corporation, 
headquartered in Palo Alto, CA. The general or managing partner 
of HPDC is HPQ Holdings, LLC. 

(2) RELATED APPEALS AND INTERFERENCES 

There are no related appeals or interferences currently 
known to appellants, appellants' legal representatives or the 
assignee, which will directly affect, or be directly affected by, or 
have a bearing on, the Board's decision. 

(3) STATUS OF CLAIMS 

Claims 1-22 were filed with the application. Claims 1-22 
remain pending at the time of appeal, all of which stand rejected. 
The rejection of claims 1-22 is appealed. 



Page 2 of 38 



Serial No. 09/678,933 
Robert P. Martin, et al. 
Atty Dkt. 10004763-1 



(4) STATUS OF AMENDMENTS 

No amendments were filed or entered subsequent to the 
final rejection mailed February 3, 2005.

(5) SUMMARY OF THE CLAIMED SUBJECT MATTER 

Appellants' invention as independently claimed is 
summarized and explained below with reference numerals, 
specification page numbers and drawing figure numbers 
indicating, in an exemplary manner, where the claim finds support 
in the specification and drawings. 

1. A method of securely connecting a plurality of client
computers (44, 46, 50) to computer resources (12) in a shared 
computer system, comprising: 

associating each of said plurality of client computers 
(44, 46, 50) with at least one virtual private network 
connection, wherein said plurality of client computers (52, 
54, 56, 64, 70) are remotely connected to at least one virtual 
private network termination device (60) in said shared 
computer system, said shared computer system comprising 
an application service provider, and wherein said at least 
one virtual private network connection is established by said 
at least one virtual private network termination device (60)
[Fig. 1; page 9, line 30 - page 10, line 7]; 

associating said at least one virtual private network 
connections with a plurality of virtual local area networks (82, 
84, 86, 90); [Fig. 2; page 11, line 32 - page 12, line 10] and 

associating at least one of said computer resources 
(12) in said shared computer system with each of said 
plurality of virtual local area networks (82, 84, 86, 90), 
whereby a domain (62, 66, 72) for each of said plurality of 
client computers (52, 54, 56, 64, 70) is extended to include 
said computer resources (12) in said application service 
provider and said plurality of client computer domains (62, 
66, 72) are isolated from each other within said application 
service provider [Figs. 1, 2; page 14, lines 28-33]. 

16. A secure computer system, comprising: 

a plurality of computer resources (212) [Fig. 3; page 
17, lines 23-32]; 

at least one virtual local area network switch (282)
electrically connected to said plurality of computer resources
(212) [Fig. 3; page 19, lines 12-32];

at least one virtual private network termination device
(260) electrically connected to said at least one virtual local
area network switch (282), wherein said at least one virtual
local area network switch (282) is configurable to
changeably connect a plurality of virtual private network 
connections in said at least one virtual private network 
termination device (260) to at least one of said plurality of 
computer resources (212) while isolating said plurality of 
virtual private network connections from one another [Fig. 3; 
page 19, lines 12-32]; and 

a configuration engine (242) electrically connected to 
said at least one virtual local area network switch (282), said 
configuration engine (242) comprising computer readable 
program code for configuring said at least one virtual local 
area network switch (282) to changeably connect each of 
said plurality of virtual private network connections to at least 
one of said plurality of computer resources (12) while 
isolating said plurality of virtual private network connections 
from one another [Fig. 3; page 19, lines 12-32]. 

22. A secure computer system, comprising: 

a plurality of computer resources (12) within an 
application service provider [Fig. 3; page 17, lines 23-32]; 

means for securely connecting each of a plurality of 
client computers (52, 54, 56, 64, 70) to a portion of said 
plurality of computer resources (12) in said application 
service provider while isolating said portion of said plurality 
of computer resources (12) from a second portion of said
plurality of computer resources (12) [Figs. 1, 2; page 14, 
lines 28-33]. 

(6) GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

It is noted that, in the final rejection, claims 1-22 are 
provisionally rejected under the judicially created doctrine of 
obviousness-type double patenting as being unpatentable over 
claims 1-20 of appellants' application serial no. 09/584,252. On 
May 2, 2005, however, after the date of the final rejection, 
appellants filed an express abandonment directed to application 
serial no. 09/584,252. Since application serial no. 09/584,252 is 
abandoned, it is believed that the provisional double patenting 
rejection raised in the final rejection is moot and, thus, does not 
represent an issue on appeal. 

A. Claims 1-22 stand rejected under 35 U.S.C. §103(a) as
being unpatentable over McNeill et al. (U.S. Patent No.
6,167,052) in view of Ahmed et al. (U.S. Patent No.
5,432,785).

(7) ARGUMENT

Relevant Law 

Legal Basis for Obviousness under 35 U.S.C. §103
The test for obviousness under 35 U.S.C. 103 is whether the
claimed invention would have been obvious to those skilled in the
art in light of the knowledge made available by the reference or
references. In re Donovan, 184 USPQ 414, 420, n. 3 (CCPA
1975). It requires consideration of the entirety of the disclosures
of the references. In re Rinehart, 189 USPQ 143, 146 (CCPA
1976). All limitations of the Claims must be considered. In re
Boe, 184 USPQ 38, 40 (CCPA 1974). In making a determination 
as to obviousness, the references must be read without benefit of 
applicant's teachings. In re Meng, 181 USPQ 94, 97 (CCPA 
1974). In addition, the propriety of a Section 103 rejection is to be 
determined by whether the reference teachings appear to be 
sufficient for one of ordinary skill in the relevant art having the 
references before him to make the proposed substitution, 
combination, or other modifications. In re Lintner, 173 USPQ 560, 
562 (CCPA 1972). 

A basic mandate inherent in Section 103 is that a piecemeal
reconstruction of prior art patents shall not be the basis for a
holding of obviousness. It is impermissible within the framework of
Section 103 to pick and choose from any one reference only so
much of it as will support a given position, to the exclusion of other
parts necessary to the full appreciation of what such reference 
fairly suggests to one of ordinary skill in the art. In re Kamm, 172 
USPQ 298, 301-302 (CCPA 1972). Phrased somewhat differently, 
the fact that inventions of the references and of applicant may be 
directed to concepts for solving the same problem does not serve 
as a basis for arbitrarily choosing elements from references to 
attempt to fashion applicant's claimed invention. In re Donovan, 
184 USPQ 414, 420 (CCPA 1975). 

It is also clearly established in the case law that a change in 
the mode of operation of a device which renders that device 
inoperative for its stated utility as set forth in the cited reference 
renders the reference improper for use to support an obviousness- 
type rejection predicated on such a change. See, e.g. Diamond 
International Corp. v. Walterhoefer, 289 F.Supp. 550, 159 USPQ 
452, 460-61 (D.Md. 1968); Ex parte Weber, 154 USPQ 491, 492 
(Bd.App. 1967). In addition, any attempt to combine the teaching 
of one reference with that of another in such a manner as to 
render the invention of the first reference inoperative is not 
permissible. See, e.g., Ex parte Hartmann, 186 USPQ 366 
(Bd.App. 1974); and Ex parte Sternau, 155 USPQ 733 (Bd.App. 
1967). 

In the case of In re Wright, 6 USPQ 2d 1959 (CAFC 1988), 
the CAFC decided that the Patent Office had improperly combined 
references which did not suggest the properties and results of the 
applicant's invention nor suggest the claimed combination as a
solution to the problem which applicant's invention solved. 

The CCPA reached this conclusion after an analysis of the 
prior case law, at p. 1961: 

We repeat the mandate of 35 U.S.C. 103: it is the 
invention as a whole that must be considered in obviousness 
determinations. The invention as a whole embraces the 
structure, its properties, and the problem it solves. See, 
e.g., Cable Electric Products, Inc. v. Genmark, Inc., 770 F.2d 
1015, 1025, 226 USPQ 881, 886 (Fed. Cir. 1985) ("In 
evaluating obviousness, the hypothetical person of ordinary 
skill in the pertinent art is presumed to have the 'ability to 
select and utilize knowledge from other arts reasonably 
pertinent to [the] particular problem' to which the invention is 
directed"), quoting In re Antle, 444 F.2d 1168, 1171-72, 170 
USPQ 285, 287-88 (CCPA 1971); In re Antonie, 559 F.2d 
618, 619, 195 USPQ 6, 8 (CCPA 1977) ("In delineating the 
invention as a whole, we look not only in the claim in 
question... but also to those properties of the subject matter 
which are inherent in the subject matter and are disclosed in 
the Specification") (emphasis in original). 

The determination of whether a novel structure is or is 
not "obvious" requires cognizance of the properties of that 
structure and the problem which it solves, viewed in light of 
the teachings of the prior art. See, e.g., In re Rinehart, 531 
F.2d 1048, 1054, 189 USPQ 143, 149 (CCPA 1976) (the 
particular problem facing the inventor must be considered in 
determining obviousness); see also Lindemann 
Maschinenfabrik GmbH v. American Hoist and Derrick Co., 
730 F.2d 1452, 1462, 221 USPQ 481, 488 (Fed. Cir. 1984) 
(it is error to focus "solely on the product created, rather than 
on the obviousness or notoriousness of its creation") 
(quoting General Motors Corp. v. U.S. Int'l Trade Comm'n, 
687 F.2d 476, 483, 215 USPQ 484, 489 (CCPA 1982), cert.
denied, 459 U.S. 1105 (1983)).






Thus the question is whether what the inventor did 
would have been obvious to one of ordinary skill in the art 
attempting to solve the problem upon which the inventor was 
working. Rinehart, 531 F.2d at 1054, 189 USPQ at 149; see 
also In re Benno, 768 F.2d 1340, 1345, 226 USPQ 683, 687 
(Fed. Cir. 1985) ("appellant's problem" and the prior art 
present different problems requiring different solutions"). 

A reference which teaches away from the applicant's 
invention may not properly be used in framing a 35 U.S.C. 103 
rejection of applicant's claims. See United States v. Adams, 148 
USPQ 429 (Sup. Ct. 1966).

Argument re Issue A

Claims 1-22 stand rejected under 35 U.S.C. §103(a) as
being unpatentable over McNeill et al. (U.S. Patent No. 6,167,052) 
in view of Ahmed et al. (U.S. Patent No. 5,432,785). Appellants 
respectfully assert, for at least the reasons advanced below, that 
claims 1-22 are not unpatentable over McNeill et al. in view of 
Ahmed et al. 



Claims 1, 4, 5 and 9-15
Appellants' independent claim 1 recites the following: 

A method of securely connecting a plurality of client 
computers to computer resources in a shared computer 
system, comprising: 

associating each of said plurality of client computers 
with at least one virtual private network connection, wherein 
said plurality of client computers are remotely connected to 
at least one virtual private network termination device in said 
shared computer system, said shared computer system 
comprising an application service provider, and wherein said 
at least one virtual private network connection is established 
by said at least one virtual private network termination
device; 

associating said at least one virtual private network 
connections with a plurality of virtual local area networks; 
and 

associating at least one of said computer resources in 
said shared computer system with each of said plurality of 
virtual local area networks, whereby a domain for each of 
said plurality of client computers is extended to include said 
computer resources in said application service provider and 
said plurality of client computer domains are isolated from 
each other within said application service provider. 

Appellants respectfully assert, for the reasons advanced 
below, that the Examiner's rejection is improper and that a prima 
facie case of obviousness has not been established. 

I. Legal Requirements for a Prima Facie Case of 
Obviousness 

MPEP Section 706.02(j) sets forth the following regarding 
the establishment of a prima facie case:

To establish a prima facie case of obviousness, three
basic criteria must be met. First, there must be some 
suggestion or motivation, either in the references 
themselves or in the knowledge generally available to one of 
ordinary skill in the art, to modify the reference or to 
combine reference teachings. Second, there must be a 
reasonable expectation of success. Finally, the prior art 
reference (or references when combined) must teach or 
suggest all the claim limitations. The teaching or 
suggestion to make the claimed combination and the 
reasonable expectation of success must both be found in the 
prior art, and not based on applicant's disclosure. 

The MPEP, thus, generally sets forth three requirements for 
establishing a prima facie case of obviousness: 



1. there must be some suggestion or motivation, either in
the references themselves or in the knowledge 
generally available to one of ordinary skill in the art, to 
modify the reference or to combine reference 
teachings; 

2. there must be a reasonable expectation of success; 
and 

3. the prior art reference (or references when combined) 
must teach or suggest all the claim limitations; 



In addition, the teaching or suggestion to make the claimed 
combination and the reasonable expectation of success must both 
be found in the prior art, and not based on applicant's disclosure.

II. A Prima Facie Case of Obviousness has not been
Established 

Appellants respectfully assert that a prima facie case has not 
been established for at least the following reasons which are 
individually discussed in further detail below: 

A) There is no motivation to combine the McNeill et al. 
and Ahmed et al. references as proposed by the 
Examiner; and 

B) Even the (improper) combination of references 
proposed by the Examiner fails to teach or suggest all 
of appellants' claim limitations. 

A) There is No Motivation to Combine 

Appellants respectfully assert that the Examiner has failed to 
establish a prima facie case of obviousness because there is no 
suggestion or motivation to combine the reference teachings as proposed by
the Examiner. The Examiner states the following on page 9 of the 
final rejection regarding the instant rejection: 

McNeil, however, does not expressly disclose that the clients 
who are remotely connecting (i.e., over a public network 
such as Internet) to the stations in VLANs at least through
one switch, are associated with at least one virtual private 
network (VPN) connection. 

The Examiner, thus, admits that the primary reference, 
McNeill et al., fails to disclose or suggest "associating each of said 
plurality of client computers with at least one virtual private 
network connection" as recited in appellants' claim 1, but takes the
position that this limitation would be obvious in view of the Ahmed
reference. Appellants respectfully assert that the Examiner's 
position is improper because there is no motivation to combine the 
McNeill et al. and Ahmed et al. references as proposed by the 
Examiner. As noted above, there must be some suggestion or 
motivation, either in the references themselves or in the 
knowledge generally available to one of ordinary skill in the art, to 
modify the reference or to combine reference teachings. MPEP
§706.02(j).

The Examiner has provided no basis for a teaching or 
suggestion in the prior art for combining elements as proposed in 
the final rejection. The Examiner's argument regarding 
obviousness is as follows: 

It would have been obvious to one skilled in the art, at 
the time the invention was made, to implement the VPN 
connectivity for each client through at least one switch port 
to a remote location as taught in Ahmed in the system of 
McNeil, because it would provide protected virtual private 
channel connections (corresponding to the recited a one to 
one correspondence) between clients and computer
resources (i.e., isolating the VPNs connections from one 
another) (col. 3, lines 9-26). 

(final rejection, page 10, emphasis added) 

The language italicized above represents the Examiner's 
only explanation regarding a teaching or suggestion to combine. 
This language, however, is simply an unsupported statement 
made by the Examiner. In order to establish a prima facie case, a 
teaching or suggestion to combine must be found in the prior art. 
See, e.g., Arkie Lures, Inc. v. Gene Larew Tackle, Inc., supra. 
The Examiner has not referred to any prior art in support of his 
position that a motivation or suggestion to combine exists but, 
instead, apparently expects his unsupported conclusory statement 
to suffice. Such an unsupported statement, however, cannot 
constitute the evidence required to establish existence of a 
motivation or suggestion to combine: 

Whether the Board relies on an express or an implicit 
showing [of a motivation, suggestion or teaching to modify 
the teachings of a reference], it must provide particular 
findings related thereto.... Broad conclusory statements 
standing alone are not "evidence". 

In re Kotzab, 55 USPQ2d 1313, 1317 (Fed. Cir. 2000) (citing 
In re Dembiczak, 50 USPQ2d 1614, 1617 (Fed. Cir. 1999)) 

Accordingly, the Examiner's statement does not constitute a 
showing of a teaching or suggestion to combine. At the very least, 
an examiner must prove that some motivation or suggestion to
combine can be found in knowledge generally available to one of
ordinary skill in the art (see MPEP 706.02(j), reproduced above).
In the present case, however, the Examiner provides no evidence 
that the requisite knowledge is generally available but, instead, 
attempts to rely on personal opinion. Such personal opinion does 
not represent an adequate substitute for evidence. 



In short, it appears that the Examiner's proposed 
combination of McNeill et al. and Ahmed et al. is based solely on 
hindsight derived from appellants' specification. The use of 
hindsight in this manner is clearly prohibited by the relevant case 
law: 

Obviousness can not be established by hindsight 
combination to produce the claimed invention. In re 
Gorman, 933 F.2d 982, 986, 18 USPQ2d 1885, 1888 (Fed. 
Cir. 1991). As discussed in Interconnect Planning Corp. v. 
Foil, 774 F.2d 1132, 1143, 227 USPQ 543, 551 (Fed. Cir. 
1985), it is the prior art itself, and not the applicant's 
achievement, that must establish the obviousness of the 
combination. 

In re Dance, 48 USPQ2d 1635, 1637 (Fed. Cir. 1998) 



Obviousness may not be established using hindsight. See 
W.L. Gore & Assocs., Inc. v. Garlock, Inc., 721 F.2d 1540,
1551, 220 USPQ 303, 312-13 (Fed. Cir. 1983).

Kahn v. General Motors Corp., 45 USPQ2d 1608, 1613
(Fed. Cir. 1998) 

B) Even the (improper) combination of references 
proposed by the Examiner fails to teach or suggest all of 
appellants' claim limitations. 

Appellants further assert that the Examiner's rejection is 
improper because the McNeill et al. and Ahmed et al. references,
even when combined as (improperly) proposed by the Examiner, 
fail to teach or suggest all the claim limitations. 

Once again, appellants' claim 1 recites the following: 

A method of securely connecting a plurality of client 
computers to computer resources in a shared computer 
system, comprising: 

associating each of said plurality of client computers 
with at least one virtual private network connection, wherein 
said plurality of client computers are remotely connected to 
at least one virtual private network termination device in said 
shared computer system, said shared computer system 
comprising an application service provider, and wherein said 
at least one virtual private network connection is established
by said at least one virtual private network termination 
device; 

associating said at least one virtual private network 
connections with a plurality of virtual local area networks; 
and 

associating at least one of said computer 
resources in said shared computer system with each of 
said plurality of virtual local area networks, whereby a 
domain for each of said plurality of client computers is 
extended to include said computer resources in said 
application service provider and said plurality of client 
computer domains are isolated from each other within 
said application service provider. 

(emphasis added) 

Although McNeill does disclose a plurality of VLANS (see 
McNeill, FIG. 2), they all appear in a single domain, the "Layer 2 
Domain" shown in McNeill, FIG. 2. McNeill therefore does not 
disclose or suggest the claimed shared computer system in which 
multiple client domains are extended and isolated. Similarly, 
Ahmed does not disclose a shared computer system in which 
multiple client domains are extended and isolated. For example, 
Ahmed et al. FIG. 4 illustrates multiple customers that share a 
virtual path link 58 and a broadband switching system 61, but
clearly shows that the customer locations are isolated at each end 
of the connection, rather than extending into a shared computer 
system. Thus, even the Examiner's proposed (improper) 
combination of references fails to teach or suggest all of the 
limitations of appellants' claim 1. 

Claims 2-15 are allowable at least as ultimately depending 
from allowable base claim 1. Claims 3, 6, 7 and 8 are allowable 
on further independent grounds for the reasons discussed below. 
For purposes of this appeal, dependent claims 4, 5, and 9-15 
stand or fall with independent claim 1.

Claim 3 

Dependent claim 3 recites the following: 

The method of claim 1, wherein a plurality of said at
least one virtual private network connections is uniquely 
associated with one of said plurality of virtual local area 
networks. 

Neither McNeill et al. nor Ahmed et al. disclose or suggest 
multiple private network connections connected to a single virtual 
local area network. Accordingly, the rejection of claim 3 is
improper. 

Claim 6 

Dependent claim 6 recites the following: 

The method of claim 4, further comprising said 
configuration engine reading computer requirements from at 
least one client. 

The Examiner states the following on page 11 of the final
rejection regarding claim 6: 

McNeil [sic] discloses that connection for client to access 
resources on the network is restricted and provided based 
on some criteria (citations omitted). 

The Examiner may be correct in asserting that McNeill et al. 
discloses a connection restricted or provided based on some 
criteria. McNeill et al. does not, however, disclose or suggest that 
a configuration engine reads computer requirements from the 
client as recited in claim 6. Ahmed et al. does nothing to remedy 
this inadequacy of McNeill et al. Accordingly, the rejection of claim
6 is improper. 

Claim 7 

Dependent claim 7 recites the following: 

The method of claim 6, further comprising said 
configuration engine calculating an optimum allocation of 
said plurality of computer resources to meet said computer 
requirements of said at least one client. 

The Examiner states the following on page 12 of the final 
rejection regarding claim 7:

McNeil [sic] discloses that connection for client to access 
resources on the network is restricted and provided based 
on some criteria (citations omitted). 

Again, even if Examiner is correct in asserting that McNeill et 
al. discloses a connection restricted or provided based on some 
criteria, McNeill et al. clearly does not disclose or suggest that a 
configuration engine calculates "an optimum allocation of ... 
resources" to meet client needs as recited in claim 7. Ahmed et 
al. does nothing to remedy this inadequacy of McNeill et al.
Accordingly, the rejection of claim 7 is improper. 

Claim 8 

Dependent claim 8 recites the following: 

The method of claim 4, further comprising said 
configuration engine configuring said at least one virtual 
local area network switch to connect at least two of said 
plurality of client computers to a same one of said plurality of 
virtual local area networks. 

Neither McNeill et al. nor Ahmed et al. disclose or suggest 
multiple client computers connected to a single virtual local area 
network. Accordingly, the rejection of claim 8 is improper. 

Claims 16, 20 and 21

Appellants' claim 16 recites the following: 

A secure computer system, comprising: 
a plurality of computer resources; 
at least one virtual local area network switch
electrically connected to said plurality of computer 
resources; 

at least one virtual private network termination device 
electrically connected to said at least one virtual local area 
network switch, wherein said at least one virtual local area 
network switch is configurable to changeably connect a 
plurality of virtual private network connections in said at least 
one virtual private network termination device to at least one 
of said plurality of computer resources while isolating said 
plurality of virtual private network connections from one 
another; and 

a configuration engine electrically connected to 
said at least one virtual local area network switch, said 
configuration engine comprising computer readable 
program code for configuring said at least one virtual 
local area network switch to changeably connect each 
of said plurality of virtual private network connections to 
at least one of said plurality of computer resources 
while isolating said plurality of virtual private network 
connections from one another. 

(emphasis added)

Appellants respectfully assert that the Examiner's rejection
of claim 16 is improper because a prima facie case of obviousness
has not been established. Specifically, appellants assert that a
prima facie case has not been established because there is no
motivation to combine the McNeill et al. and Ahmed et al. 
references as proposed by the Examiner. Appellants hereby 
reassert the motivation to combine arguments advanced above 
with respect to the rejection of claim 1.

Appellants further assert that a prima facie case has not
been established because even the (improper) combination of
references proposed by the Examiner fails to teach or suggest all 
of appellants' claim limitations. 

Although McNeill does disclose a plurality of VLANS (see 
McNeill, FIG. 2), they all appear in a single domain, the "Layer 2 
Domain" shown in McNeill, FIG. 2. McNeill therefore does not 
disclose or suggest the claimed configuration engine that 
configures a VLAN switch to changeably connect each of a 
plurality of VPN connections to a plurality of computer resources 
while isolating the VPN connections from one another. Ahmed et 
al. fails to remedy this inadequacy. 

Claims 17-21 are allowable at least as ultimately depending 
from allowable base claim 16. Claims 17-19 are allowable on 
further independent grounds for the reasons discussed below. For 
purposes of this appeal, dependent claims 20 and 21 stand or fall
with independent claim 16. 

Claim 17 

Dependent claim 17 recites the following: 

The secure computer system of claim 16, wherein said 
computer readable program code in said configuration 
engine further comprises code for a graphical user interface 
to manually configure said virtual local area network switch. 

The Examiner states the following on page 13 of the final 
rejection regarding claim 17: 

McNeil [sic] discloses that the management station 
includes software and provides a graphical user interface for 
network administrator to configure the VLAN (see, for 
example, abstract; Fig. 1; col. 4, lines 38-41; col. 9, lines 35- 
43). 

The portions of McNeill et al. referenced by the Examiner are 
reproduced below. 

A network includes a number of domains ("layer 2 
domains") interconnected by routers. Within each domain, 
traffic is forwarded based on MAC addresses (or other data
link layer addresses). The routers route traffic based on IP 
addresses or other network layer addresses. To restrict 
network connectivity, a network administrator specifies 
connectivity groups each of which is a group of sub-networks 
that are allowed to communicate. The administrator also 
specifies which entities (MAC addresses, ports, or user 
names) belong to the same group. The entities may be in the 
same or different domains. A computer system automatically 
creates access control lists for routers to allow or deny traffic 
as specified by the administrator. The computer system also 
creates VLANs to allow or deny traffic as specified, wherein 
each VLAN is part of a domain or is a whole domain. 
Connectivity within each domain is restricted by VLANs and
connectivity between domains is restricted by access control 
lists. 

(abstract) 



Management station 124M includes storage 192 for 
storing programs and data and also includes user interface 
devices 194 such as a keyboard, a screen, and/or other 
interface devices. 

(col. 4, lines 38-41) 



Management station 124M instructs each router 130 to 
delete any existing access control lists and to substitute the 
new access control lists. 

Some embodiments allow the network administrator to 
insert additional commands into the access control list. Thus, 
in some embodiments, before step M50, the administrator 
can specify for each subnet additional terms to be inserted 
into the access control list for the corresponding interface(s). 
More particularly, the administrator can specify....

(col. 9, lines 35-43)

Although a user interface is discussed in some of the 
passages cited by the Examiner, McNeill et al. does not disclose a 
graphical user interface as recited in claim 17. Accordingly, the 
rejection of claim 17 is improper. 

Claim 18 

Dependent claim 18 recites the following: 

The secure computer system of claim 16, wherein said 
computer readable program code in said configuration engine 
further comprises code for automatically configuring said 
virtual local area network switch. 

McNeill et al. does not disclose a management station that 
automatically configures the network switch as recited in claim 18. 
McNeill et al. specifically teaches that a network administrator 
enters information defining traffic for a connectivity group: 

To configure the domains, a network administrator enters for 
each connectivity group information defining traffic that 
belongs to the group.

(McNeill et al., col. 2, lines 37-39)

Claim 19 

Dependent claim 19 recites the following: 

The secure computer system of claim 16, wherein said 
computer readable program code in said configuration engine 
further comprises code for reading client computer 
requirements across said plurality of virtual private network 
connections. 

The Examiner states the following on page 11 of the final
rejection regarding the rejection of claim 19: 

McNeil [sic] discloses that connection for client to access 
resources on the network is restricted and provided based on 
some criteria (citations omitted). 

Even if the Examiner is correct in asserting that McNeill et al. 
discloses a connection restricted or provided based on some 
criteria, McNeill et al. does not disclose or suggest "program code 
... for reading client computer requirements" as recited in claim 19. 
Ahmed et al. does nothing to remedy this inadequacy of McNeill et
al. Accordingly, the rejection of claim 19 is improper. 

Claim 22 

Appellants' claim 22 recites the following: 

A secure computer system, comprising: 
a plurality of computer resources within an 
application service provider; 

means for securely connecting each of a plurality of 
client computers to a portion of said plurality of 
computer resources in said application service provider 
while isolating said portion of said plurality of computer 
resources from a second portion of said plurality of 
computer resources." 

Appellants respectfully assert that the Examiner's rejection of 
claim 22 is improper because a prima facie case of obviousness 
has not been established. Specifically, appellants assert that a 
prima facie case has not been established because there is no
motivation to combine the McNeill et al. and Ahmed et al. 
references as proposed by the Examiner. Appellants hereby
reassert the motivation to combine arguments advanced above 
with respect to the rejection of claim 1.

Appellants further assert that a prima facie case has not been
established because even the (improper) combination of
references proposed by the Examiner fails to teach or suggest all 
of the limitations of appellants' claim 22. The cited references do 
not disclose a plurality of computer resources within an application 
service provider, nor means for securely connecting client 
computers to resources in the application service provider while 
isolating the clients. 

For the reasons set forth above, appellants respectfully 
assert that all of the claims are allowable and that, accordingly, all 
of the rejections should be reversed. 



Respectfully submitted, 

KLAAS, LAW, O'MEARA & MALKIN, P.C. 




Registration No. 32,697 
1999 Broadway, STE 2225

(8) CLAIMS APPENDIX

1. A method of securely connecting a plurality of client
computers to computer resources in a shared computer system, 
comprising: 

associating each of said plurality of client computers 
with at least one virtual private network connection, wherein 
said plurality of client computers are remotely connected to at 
least one virtual private network termination device in said 
shared computer system, said shared computer system 
comprising an application service provider, and wherein said 
at least one virtual private network connection is established 
by said at least one virtual private network termination device; 

associating said at least one virtual private network 
connections with a plurality of virtual local area networks; and 

associating at least one of said computer resources in 
said shared computer system with each of said plurality of 
virtual local area networks, whereby a domain for each of 
said plurality of client computers is extended to include said 
computer resources in said application service provider and 
said plurality of client computer domains are isolated from 
each other within said application service provider.

2. The method of claim 1, wherein each of said at least
one virtual private network connections is uniquely associated with 
one of said plurality of virtual local area networks, so that a one to 
one correspondence exists between said at least one virtual private 
network connection and said plurality of virtual local area networks. 

3. The method of claim 1, wherein a plurality of said at 
least one virtual private network connections is uniquely associated 
with one of said plurality of virtual local area networks. 

4. The method of claim 1, further comprising a 
configuration engine in said shared computer system configuring at 
least one virtual local area network switch to establish said plurality 
of virtual local area networks. 

5. The method of claim 1, further comprising a 
configuration engine in said shared computer system configuring 
said at least one virtual private network termination device to 
establish said at least one virtual private network connection. 

6. The method of claim 4, further comprising said 
configuration engine reading computer requirements from at least 
one client.

7. The method of claim 6, further comprising said
configuration engine calculating an optimum allocation of said 
plurality of computer resources to meet said computer 
requirements of said at least one client. 

8. The method of claim 4, further comprising said 
configuration engine configuring said at least one virtual local area 
network switch to connect at least two of said plurality of client 
computers to a same one of said plurality of virtual local area 
networks. 

9. The method of claim 1, wherein at least one of said
plurality of client computers is connected to said shared computer 
system across a dedicated line. 

10. The method of claim 1, wherein at least one of said
plurality of client computers is connected to said shared computer 
system across the Internet. 

11. The method of claim 10, wherein at least one of said 
plurality of client computers is connected to said shared computer 
system with a modem.

12. The method of claim 10, wherein at least one of said
plurality of client computers is connected to said shared computer 
system with a broadband connection. 

13. The method of claim 1, said shared computer system 
further comprising computer readable program code for 
authenticating client computer identification, said method further 
comprising executing said computer readable program code to 
authenticate client computer identification before associating each 
of said plurality of client computers with at least one virtual private 
network connection. 

14. The method of claim 1, said shared computer system 
further comprising at least one firewall, said method further 
comprising configuring said at least one firewall to accept data from 
each of said plurality of client computers. 

15. The method of claim 14, further comprising a 
configuration engine in said shared computer system configuring 
said at least one firewall to accept data from each of said plurality 
of client computers. 

16. A secure computer system, comprising: 
a plurality of computer resources;

at least one virtual local area network switch electrically
connected to said plurality of computer resources; 

at least one virtual private network termination device 
electrically connected to said at least one virtual local area 
network switch, wherein said at least one virtual local area 
network switch is configurable to changeably connect a 
plurality of virtual private network connections in said at least 
one virtual private network termination device to at least one 
of said plurality of computer resources while isolating said 
plurality of virtual private network connections from one 
another; and 

a configuration engine electrically connected to said at 
least one virtual local area network switch, said configuration 
engine comprising computer readable program code for 
configuring said at least one virtual local area network switch 
to changeably connect each of said plurality of virtual private 
network connections to at least one of said plurality of 
computer resources while isolating said plurality of virtual 
private network connections from one another. 

17. The secure computer system of claim 16, wherein said 
computer readable program code in said configuration engine 
further comprises code for a graphical user interface to manually 
configure said virtual local area network switch.

18. The secure computer system of claim 16, wherein said
computer readable program code in said configuration engine 
further comprises code for automatically configuring said virtual 
local area network switch. 

19. The secure computer system of claim 16, wherein said 
computer readable program code in said configuration engine 
further comprises code for reading client computer requirements 
across said plurality of virtual private network connections. 

20. The secure computer system of claim 16, further 
comprising at least one firewall connected to said plurality of virtual 
private network connections. 

21. The secure computer system of claim 16, further 
comprising computer readable program code for authenticating 
identification of client computers connected to said plurality of 
virtual private network connections. 

22. A secure computer system, comprising: 

a plurality of computer resources within an application 
service provider; 

means for securely connecting each of a plurality of 
client computers to a portion of said plurality of computer 
resources in said application service provider while isolating 
said portion of said plurality of computer resources from a
second portion of said plurality of computer resources. 